- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 16 Jul 2013 18:06:59 -0700
- To: Nicholas Doty <npdoty@w3.org>
- Cc: John Simpson <john@consumerwatchdog.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
On Jul 16, 2013, at 3:52 PM, Nicholas Doty wrote:

> Hi John and Roy,
>
> I just wanted to clarify some distinctions for your change proposal on security/fraud permitted use:
>
> One key difference is certainly adding the definition of graduated response and stating that it is preferred. There are a couple of other distinctions from the Editors' Draft text, and I wasn't sure how essential they are to the proposal. (If we can consolidate proposals, that will make the groups' decision-making easier.)
>
> 1. To the extent reasonably necessary vs. to the extent proportionate and reasonably necessary:
> I believe the "proportionate" language came out of some concerns from our EU colleagues. Would you agree with including proportionate as well? In that case, I think the graduated-response-is-preferred language would explain the concept nicely.

My guess is that what you mean by proportionate is the amount of data retained? I don't see how that is relevant here. EU laws don't have any notion of retaining a proportion of data relevant to security, AFAIK, and prosecution in the US would require complete retention of the applicable data. In any case, I think this is already covered by limiting the permitted use to what is reasonably necessary.

If, in fact, we do encounter a situation where disproportionate data collection, retention, or use is also reasonably necessary, then I can assure the WG that the service will continue to collect that data regardless of DNT. To do anything else would invite attackers to send DNT:1 just to obtain the path of least protection.

There is no incentive for companies to collect more data for this permitted use than necessary because the suggested text also restricts how the collected data can be used: "provided that such data is not used for operational behavior (profiling or personalization) beyond what is reasonably necessary to protect the service or institute a graduated response".

> 2. "malicious, deceptive, fraudulent, or illegal activity" vs. "security risks and fraudulent or malicious activity"
> Is deceptive necessary here? Would deceptive include use of anonymizing proxies, onion routing, or other network-related privacy measures? Or is it just aimed at malicious deception (like fraudulent automated impressions, say)?

Hiding the origin of a request is not deception. Claiming a request is coming from an intranet host (via IP spoofing or Referer/Origin rewriting) would be deceptive if the request is actually received from some other network or referring site. Whether a given anonymizing proxy is being deceptive or not will depend on what it sends; most simply hide what is behind the proxy by removing data, rather than sending false data.

It is often the case that we need to perform data collection just for the sake of providing fair queueing of non-malicious requests; e.g., http://www.nytimes.com/2013/05/27/business/media/bots-that-siphon-off-tickets-frustrate-concert-promoters.html

In many cases, we don't know if traffic is malicious, fraudulent, or even illegal until several pages after the start of tracking. Again, the privacy protection here is with regard to how the data can be used and how long it can be retained.

A lot of people assume that DNT is only going to affect advertising. While that is certainly where the money has been talking, my concerns are about third party subrequests in general, including the use of shared UI frameworks at well-known locations (e.g., common URIs for CSS or jQuery that are shared by many sites to reduce average initial latency) and the use of security services that do not qualify as service providers because they use patterns derived from data sent to multiple unaffiliated sites.

The extent of what is reasonably necessary tracking for the permitted use of security is going to vary depending on what service is being protected and what attacks are encountered, which in turn will vary over time. I don't think it is useful for the WG to claim that can be further limited by DNT.

....Roy

> Thanks,
> Nick
>
> Re: http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security#WD-style_text_.2B_Graduated_Response
Received on Wednesday, 17 July 2013 01:07:15 UTC
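As an added illustration of the position taken in the message above (example code, not from the thread or from the W3C group), the hypothetical request monitor below keeps security telemetry for every request whether or not DNT:1 is sent, withholds only profiling data under DNT:1, escalates through a graduated response, and flags the one case the reply calls deceptive: a Referer naming an internal host on a request that arrived from outside. The host names, addresses, tier thresholds and sample requests are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse
# Constructed sample data (hypothetical hosts and addresses, not real traffic).
INTERNAL_HOSTS = {"intranet.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TIERS = ["allow", "rate-limit", "challenge", "block"]  # graduated response, mildest first
SAMPLE_REQUESTS = [  # (remote address, DNT header value, Referer header)
    ("203.0.113.7", "1", "https://intranet.example/admin"),  # external address, internal Referer
] + [("203.0.113.7", "1", "https://example.com/")] * 5 + [
    ("198.51.100.9", "0", "https://example.com/"),  # no DNT: profiling permitted
    ("10.0.0.5", "1", "https://intranet.example/"),  # internal address, internal Referer: fine
]

def is_internal_addr(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError for a hostname
    return any(addr in net for net in INTERNAL_NETS)

def claims_intranet_origin(remote_ip, referer):
    """Deceptive in the sense above: Referer names an internal host, request arrived from outside."""
    host = urlparse(referer or "").hostname
    if not host:
        return False  # omitting the Referer removes data; it does not send false data
    try:
        referer_internal = is_internal_addr(host)
    except ValueError:
        referer_internal = host in INTERNAL_HOSTS
    return referer_internal and not is_internal_addr(remote_ip)

def graduated_response(hits, deceptive, tier_size):
    """Escalate one tier every tier_size requests; a deceptive request escalates one tier early."""
    level = min(hits // tier_size, len(TIERS) - 1)
    if deceptive:
        level = min(level + 1, len(TIERS) - 1)
    return TIERS[level]

class SecurityMonitor:
    def __init__(self, tier_size=3):
        self.tier_size = tier_size
        self.hits = defaultdict(int)      # security telemetry, collected regardless of DNT
        self.profiles = defaultdict(int)  # personalization data, only without DNT:1
    def handle(self, remote_ip, dnt, referer):
        # Honouring DNT:1 for security collection would hand attackers the path of least
        # protection, so DNT restricts how the data is *used*, not whether it is collected.
        self.hits[remote_ip] += 1
        if dnt != "1":
            self.profiles[remote_ip] += 1
        deceptive = claims_intranet_origin(remote_ip, referer)
        return graduated_response(self.hits[remote_ip], deceptive, self.tier_size)
```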